-
RECON
-
STUDY THE PROGRAM
- #1 - Understand the terms:
- (a) Write down all (sub)domains in and out of scope;
- (b) Understand which types of vulnerabilities are considered valid or not for reports.
- #2 - Understand the application:
- (a) What this web application does; (b) how AAA (authentication, authorization, accounting) works in the application.
- #3 - Read and study vulnerabilities that have already been reported in the program.
-
SUBDOMAIN ENUMERATION
- [ALWAYS TAKE NOTES OF THE OUTPUTS GENERATED BY THE TOOLS BELOW]
- #1 - Subdomain Discovery:
- (a) Scrape the domains (vertical) with AMASS, Sublist3r and Censys;
- (b) Brute-force to find extra subdomains using AMASS, Sublist3r, Subbrute, AltDNS, DNSRecon, Knockpy.
- (c) Merge all the outputs generated by the previous tools. (LEARN PYTHON AND BUILD A TOOL TO MERGE ALL SUBDOMAINS)
- #3 - Content Gathering:
- (a) Screenshot every subdomain to analyse app functions faster, AND use (FIND A TOOL) to spot interesting endpoints.
- [while you're analysing, do the next steps]
- (b) Dirsearch to brute-force directories.
- (c) Use JSParser to find relative URLs.
- [ALL TOOLS ABOVE NEED TO BE TESTED AND COMPARED AGAINST EACH OTHER]
- (d) Shodan, Dirsearch, JSParser, ffuf
- (e) webscreenshot
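A merge tool of the kind step (c) asks for, added here as an example and not part of the original notes. It assumes the tools emit bare hostnames, URLs, wildcard entries or "host ip" pairs; the sample outputs are constructed, not real tool results.

```python
"""Merge and normalise subdomain lists from several enumeration tools.

Added example (not from the original notes). Tool output formats are an
assumption: bare hostnames, URLs, wildcard entries and 'host ip' pairs.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# one DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(line: str) -> Optional[str]:
    """Return a canonical lowercase hostname for one output line, or None."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    token = parts[0]
    if "://" in token:                         # some tools emit full URLs
        token = urlsplit(token).hostname or ""
    token = token.lower().rstrip(".")
    if token.startswith("*."):                 # wildcard entries from CT logs
        token = token[2:]
    token = token.split("/")[0].split(":")[0]  # drop path and port remnants
    if not token or not all(_LABEL.match(lbl) for lbl in token.split(".")):
        return None
    return token

def in_scope(host: str, apexes: set) -> bool:
    """True if host is an in-scope apex domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in apexes)

def merge_subdomains(outputs: dict, apexes: set) -> list:
    """Merge raw tool outputs (tool name -> text) into a sorted, deduplicated list."""
    merged = set()
    for text in outputs.values():
        for line in text.splitlines():
            host = normalize_host(line)
            if host and in_scope(host, apexes):
                merged.add(host)
    return sorted(merged)

# Constructed sample outputs, not real tool results.
SAMPLE_OUTPUTS = {
    "amass": "www.example.com\nAPI.example.com\n*.dev.example.com\n",
    "sublist3r": "https://api.example.com/login\nmail.example.com.\n",
    "dnsrecon": "vpn.example.com 203.0.113.5\nwww.other.org\n# comment\n",
}

if __name__ == "__main__":
    print("\n".join(merge_subdomains(SAMPLE_OUTPUTS, {"example.com"})))
```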
-
LINKED DISCOVERY
- GoSpider
-
If the scope is "*.domain.com", #1.1 enumerate subdomains (Sublist3r, Aquatone)
-
DOMAIN TAKEOVER TEST
-
GOOGLE DORKS
-
SHODAN
- country: find devices in a particular country
- geo: you can pass it coordinates
- hostname: find values that match the hostname
- net: search based on an IP or /x CIDR
- os: search based on operating system
- port: find particular ports that are open
- before/after: find results within a timeframe
-
Censys
-
SecList
- Dirsearch
- Dirb
-
hidden GET & POST
- certspotter (Certificate Transparency log monitor)
MEDIUM
-
Sites and tools
- https://virustotal.com/
- https://www.shodan.io/
- https://crt.sh/?q=%25target.com
- https://dnsdumpster.com/
- https://censys.io
- http://dnsgoodies.com
These are the websites that I use every day 🙂
[#3] Scan the addresses found for > (a) all ports using nmap. E.g.:
[#4] Look for outdated and potentially vulnerable versions of each service running on the open ports
#2 - Acquisitions discovery > (a) - www.owler.com OR www.crunchbase.com (b)
#3 ASN, IP range enumeration/discovery >
(a) - Compare similarities of ASNumbers, IP/CIDRs
bgp.he.net / whois.arin.net / apps.db.ripe.net (search for company name)
whois -h whois.cymru.com $(dig [server] [name] [type] ) e.g.: dig +short tesla.com
amass e.g.: ./amass intel -org tesla OR amass.exe intel -asn [AS]
Shodan e.g.: org:"Tesla" (search for company name)
BUGCROWD
(1) Discover IP space
(a) bgp.he.net (search for company name and look out for IPv4/CIDR)
(b)
whois -h whois.cymru.com $(dig [server] [name] [type]) e.g.: dig +short tesla.com
(c) amass intel -org tesla
NICK PARK
- Identify IPs and Main TLDs
- Domain Scraping for Discovered TLDs
- Domain Bruteforcing, Resolve && Add new IP Ranges
- Portscan
- Visual Identification
- Platform Identification
- Content Discovery
- Parameter Discovery
-
EXPLOIT
-
CONCEPT
Passive testing
understand all the access points (gates) (e.g., HTTP headers, parameters, and cookies) / Information Gathering
Active testing
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Error Handling
- Cryptography
- Business Logic Testing
- Client Side Testing
-
OPEN REDIRECT
-
INJECTION
-
COMMAND INJECTION
e.g.: exec in PHP or wscript.shell (ASP)
through form, cookie, HTTP header, etc
Tool: Commix https://github.com/commixproject/commix.git
-
HOST HEADER INJECTION
If the input is not properly escaped or validated, the Host header is a potential vector for exploits:
web cache poisoning, business logic flaws in specific functionality, routing-based SSRF, SQL injection.
Some websites validate whether the Host header matches the SNI from the TLS handshake. This doesn't necessarily mean that they're immune to Host header attacks.
TYPES OF FLAWED VALIDATION
Non-numeric port, using the same arbitrary domain ending as a whitelist, injecting duplicate Host headers, supplying an absolute URL, adding line wrapping
Password reset poisoning
Dangling markup injection
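Strict Host header validation beside the flawed suffix check, added as an example that is not from the original notes; the allowlist and the sample requests are constructed. It covers the flawed-validation cases listed above: domain-suffix matching, non-numeric ports, duplicate Host headers, absolute URLs and line-wrapped values.

```python
"""Strict Host header validation versus a flawed suffix check.

Added example (not from the original notes); the allowlist and the
sample requests are constructed for illustration.
"""
import re
from typing import Optional

ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}   # constructed allowlist
# hostname, optionally ':' and a numeric port; no scheme, path, userinfo,
# whitespace or CR/LF can pass (\Z, unlike $, does not skip a trailing newline)
_HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::(\d{1,5}))?\Z")

def flawed_host_check(value: str) -> bool:
    """Suffix-only check (the 'same domain ending' mistake): accepts evil-example.com."""
    return value.lower().endswith("example.com")

def strict_host_check(headers: list) -> Optional[str]:
    """Return the validated hostname, or None if the request must be rejected.

    headers is a list of (name, value) pairs as parsed from the request.
    Rejects a missing or duplicated Host header, absolute URLs, non-numeric
    or out-of-range ports, folded (line-wrapped) values and any hostname
    that is not an exact allowlist member.
    """
    hosts = [v for name, v in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return None
    match = _HOST_RE.match(hosts[0].lower())
    if not match:
        return None
    host, port = match.group(1), match.group(2)
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return host if host in ALLOWED_HOSTS else None

# Constructed requests, each as the header pairs a parser would hand over.
SAMPLE_REQUESTS = {
    "legit":          [("Host", "www.example.com")],
    "legit-port":     [("Host", "WWW.example.com:8443")],
    "suffix-trick":   [("Host", "evil-example.com")],
    "absolute-url":   [("Host", "http://www.example.com")],
    "non-numeric":    [("Host", "www.example.com:abc")],
    "duplicate-host": [("Host", "www.example.com"), ("Host", "evil.example.net")],
    "line-wrapped":   [("Host", "www.example.com\r\n evil.net")],
}

def compare_checks() -> dict:
    """Map each sample to (flawed verdict, strict verdict) for side-by-side review."""
    return {name: (flawed_host_check(hdrs[0][1]), strict_host_check(hdrs))
            for name, hdrs in SAMPLE_REQUESTS.items()}
```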
-
CODE INJECTION
-
CROSS-SITE SCRIPTING (XSS)
DOM Based XSS (AKA Type-0) (Client)
Stored XSS (AKA Persistent or Type I) (Server / Client)
Reflected XSS (AKA Non-Persistent or Type II) (Server / Client)
-
SQL INJECTION
-
CRLF INJECTION
-
CSRF
-
XPATH INJECTION
-
EMAIL INJECTION
-
FILE INCLUSION
LOCAL FILE INCLUSION (LFI)
retrieve and execute files on the local server
-
DIRECTORY TRAVERSAL
where it occurs: C#.NET, Python, PHP, ColdFusion, Perl, etc.
how to find: vulnerability scan, code review, manual intrusion test.
web servers
via URL when "=" exists. Use "/../" to reach parent directories.
application code and data, credentials for back-end systems, and sensitive operating system files
NULL byte poisoning
"%00" after the filename
Log poisoning
Error logs, Access logs
/proc/self/
symlink to the process directory of the HTTP server instance handling the request
Spoofing the User-Agent field with PHP code can achieve remote code execution when the file /proc/self/environ is included.
GET vulnerable.php?file=../../../proc/self/environ HTTP/1.1
Apache always logs the authorized users.
authorization prompt
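A defensive counterpart to the traversal and null-byte notes above: an added example (not from the original notes) that resolves a user-supplied filename inside one fixed base directory and rejects the "../" and "%00" cases. The base directory and the inputs are constructed.

```python
"""Resolve a user-supplied filename safely inside one base directory.

Added example (not from the original notes); the base directory and the
sample inputs are constructed for illustration.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def safe_path(base_dir: str, user_value: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the value is unsafe.

    Rejects null bytes (the '%00' truncation trick) and any value that, once
    URL-decoded and resolved through symlinks, lands outside base_dir.
    """
    decoded = unquote(user_value)               # '..%2f' -> '../', '%00' -> '\x00'
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute; realpath then
    # yields a path outside base, so the prefix test below rejects it too
    candidate = os.path.realpath(os.path.join(base, decoded))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate

def classify(base_dir: str, values: list) -> dict:
    """Map each input to whether safe_path accepts it."""
    return {v: safe_path(base_dir, v) is not None for v in values}

def demo() -> dict:
    """Create a throwaway base directory with one file and classify sample inputs."""
    tmp = tempfile.mkdtemp(prefix="lfi-demo-")
    with open(os.path.join(tmp, "report.txt"), "w") as fh:
        fh.write("constructed sample content\n")
    samples = [
        "report.txt",                      # legitimate
        "../../../proc/self/environ",      # plain traversal, as in the notes
        "..%2f..%2fetc%2fpasswd",          # URL-encoded traversal
        "report.txt%00.pdf",               # null-byte truncation
        "/etc/hosts",                      # absolute path
    ]
    return classify(tmp, samples)

if __name__ == "__main__":
    for value, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {value}")
```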
REMOTE FILE INCLUSION (RFI)
execute files from the remote server.
-
XML EXTERNAL ENTITIES (XXE)
-
RCE
-
REPORT
- STRUCTURE
- TEMPLATE
- TIPS
-
BB SITE
Bugcrowd: https://www.bugcrowd.com/
Hackerone: https://www.hackerone.com/
Synack: https://www.synack.com/
Japan Bug Bounty Program: https://bugbounty.jp/
Cobalt: https://cobalt.io/
Zerocopter: https://zerocopter.com/
Hackenproof: https://hackenproof.com/
BountyFactory: https://bountyfactory.io
Bug Bounty Programs List: https://www.bugcrowd.com/bug-bounty-list/
AntiHack: https://www.antihack.me/
Yes We Hack: https://yeswehack.com/hunters/hisxo
-
TRAINING SITE AND VM
Rootme
Penetration Testing Practice Labs
Damn Vulnerable iOS App (DVIA)
Mutillidae
-
WRITE-UPS AND POC OUT OF BB SITES
SecurityBreached-BugBounty POC
-
TUTORIAL
DEFCON Conference videos on YouTube
How To Shot Web — Jason Haddix, 2015
Bug Bounty Hunting Methodology v2 — Jason Haddix, 2017
Hunting for Top Bounties — Nicolas Grégoire, 2014
The Secret life of a Bug Bounty Hunter — Frans Rosén, 2016
Finding Bugs with Burp Plugins & Bug Bounty 101 — Bugcrowd, 2014
How to hack all the bug bounty things automagically reap the rewards profit — Mike Baker, 2016
-
Stok steps
- Sign up for Hackerone to get Pete's book Web Hacking 101 bit.ly/hackerone-stok
- Watch anything you can from Jason Haddix, just google it.
- Watch all the tutorials and do the CTF on Hacker101 bit.ly/hacker101-stok
- Sign up for PentesterLab and try their stuff out! bit.ly/pentesterlab-stok
- Watch everything on https://www.bugcrowd.com/university
- Sign up for Hackerone (bit.ly/hackerone-stok), Bugcrowd or any other BB platform.
- Get a Burp Pro license, it's way better than getting an "ethical hacker course" https://portswigger.net/
- Find a program that you like and vibe with, it's more fun to hack on a program or brand you like.
- Don't waste time on VDPs
- Don't be discouraged that everyone else has automated everything, it's just not true.
- Always approach a target like you're the first one there. Your view is unique.
- Remember, zero-days can be new bugs in old code. Tavis has shown that over and over again.
- Be proud of your work, you did this!
-
Hacker 101
Firefox
Allow proxy settings.
Report
Title — E.g. "Reflected Cross-Site Scripting in profiles"
Severity
Description — Brief description of what the vulnerability is
Reproduction Steps — Brief description of how to reproduce the bug
Impact — What can be done with the vulnerability?
Mitigation — How is it fixed?
Affected assets — Generally a list of affected URLs
Request format
VERB /resource/locator HTTP/1.1
Header1: Value1
Header2: Value2
...
<Body of request>
Request headers
Host
Accept
Cookie
key-value
Server to client
Hierarchical domain application
2 Flags
Secure: only sent over HTTPS
HTTPOnly: cannot be read by JavaScript
Referer
Authorization
-
WORDLIST
SecLists (Discovery, Fuzzing, Shell, Directory Hunting, CMS)
-
TOOL
- Altdns: Generate and resolve common permutations of subdomains to discover new assets.
- Assetnote: Monitor and track passive API data feeds to discover and notify you of new subdomains.
- Bugbounty Dash: A terminal based dashboard to oversee your bug bounty efforts.
-
ALL KNOWLEDGE NECESSARY TO BUG BOUNTY WEB APPLICATION
Network: DNS; request types (GET, POST, ...); functions of ports 80, 443 and 8080, and how to find them when hidden.
Language: HTML, CSS and JS; Python (automation).
Reconnaissance, understanding the program's scope, AAA (Authentication, Authorization and Accounting);
CVE term;
Code injections (HTML, CSS, JS, PHP), XSS, CSRF, XPATHi, CRLF, XXE;
Smuggler, Subdomain takeover, CORS, SSRF;
Command Execution, Crypto Attack, Deserialization, Race Condition, Directory Traversal, File Inclusion, Redirect;
SAML/SSO, LFI, RCE, IDOR;
Know how to report (Template, Markdown).
Created
February 9, 2024 16:48
-
Bug Bounty